ServiceNow Event Management

Michael Skov Thomsen

Solution Architect

Generate incidents based on alert correlation in ServiceNow

Alert Correlation is one of the best features in the ServiceNow Event Management module, especially Rule-based correlation. This feature provides a better overview by correlating multiple alerts into one (parent/child).

Alert to incident is the main purpose with Event Management, and when you have alert correlation, you might not want to create incidents for each alert in the group. This blog explains how to create a single incident, based on automatic alert correlation.

I have created a basic correlation rule for print errors.

Per default this will create two incidents, which might not be desirable when you already decided on creating automatic correlation.

To work around this, add a filter to your Alert Action Rule: Group | is | Rules-based

Now, only one incident is created for the group:

In conclusion, Alert Correlation enables us to create a single incident for a group of alerts, instead of creating multiple irrelevant incidents. By doing so, we limit the amount of incidents to the necessary and provide a better overview of the incidents we need to focus on.

Want a dialogue with the author of this article?